
Monitor your network for new hosts using arpwatch

Submitted by admin, on April 15th, 2012

For computers to communicate with each other over a network, they need a way to convert an IP address into the physical address of the network card (the MAC address). If your computer doesn't already have the MAC address for the host you are trying to reach, it sends out a broadcast ARP request asking who owns that IP, and the owner answers with an ARP reply carrying its MAC.

ARP requests are broadcast across the LAN and stop at the edge of the broadcast domain: a switch floods them to every port in the VLAN, but a router does not forward them.

By listening to this ARP traffic you can identify new computers as they appear on the network. The flip side is that you only see hosts in the broadcast domain your listening interface sits in, and a host that never sends or answers an ARP stays invisible until it does.

Arpwatch is a tool that does just that. It listens for ARP traffic on an interface, keeps a database of IP/MAC pairings, and emails you when it sees a MAC address for the first time ("new station") or when an IP starts answering from a different MAC ("changed ethernet address" / "flip flop"), which is also what ARP spoofing looks like on the wire.
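To make the ARP side of this concrete, here is a small passive monitor written for this post that does in miniature what arpwatch does. It is an added example, not arpwatch's own code: it decodes raw Ethernet/ARP frames, keeps an IP-to-MAC table per interface, and reports a first sighting, a MAC change for a known IP, and a frame whose Ethernet source disagrees with the ARP sender (arpwatch's "ethernet mismatch"). The frames, MAC addresses and IPs are all constructed inline; on a real host they would come from a raw socket or pcap on the monitored interface.

```python
"""Passive ARP monitor in the spirit of arpwatch (added example, not arpwatch code)."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(sender_mac, sender_ip, target_ip, opcode=ARP_REQUEST,
              target_mac=BROADCAST, eth_src=None):
    """Build an Ethernet frame carrying IPv4-over-Ethernet ARP (constructed test input).

    eth_src lets a test frame lie about its Ethernet source address, which is
    what a forged ARP packet often looks like on the wire.
    """
    eth_dst = BROADCAST if opcode == ARP_REQUEST else target_mac
    tha = b"\x00" * 6 if opcode == ARP_REQUEST else mac_bytes(target_mac)
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src or sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype 1 = Ethernet, ptype 0x0800 = IPv4, hlen 6, plen 4, then the opcode
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip) + tha + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return (opcode, eth_src, sender_mac, sender_ip, target_ip), or None if not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (opcode, mac_str(frame[6:12]), mac_str(frame[22:28]),
            ip_str(frame[28:32]), ip_str(frame[38:42]))


class ArpMonitor:
    """Tracks IP -> MAC per interface and returns an event tuple when something changes."""

    def __init__(self):
        self.table = {}   # (iface, ip) -> mac
        self.events = []  # (kind, iface, ip, mac, old_mac)

    def observe(self, iface, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        _opcode, eth_src, mac, ip, _target = parsed
        if eth_src != mac:
            # Ethernet header and ARP payload disagree about the sender; do not learn from it.
            event = ("ethernet mismatch", iface, ip, mac, eth_src)
        elif ip == "0.0.0.0":
            # ARP probe (RFC 5227): the sender has no address yet, nothing to record.
            return None
        elif (iface, ip) not in self.table:
            self.table[(iface, ip)] = mac
            event = ("new station", iface, ip, mac, None)
        elif self.table[(iface, ip)] != mac:
            # Same IP, different MAC: replaced NIC, duplicate IP, or ARP spoofing.
            old = self.table[(iface, ip)]
            self.table[(iface, ip)] = mac
            event = ("changed ethernet address", iface, ip, mac, old)
        else:
            return None
        self.events.append(event)
        return event


def demo():
    """Feed a constructed sequence of frames through the monitor and return the events raised."""
    mon = ArpMonitor()
    frames = [
        build_arp("00:0c:29:aa:bb:01", "10.0.0.10", "10.0.0.1"),                       # first sighting of .10
        build_arp("00:50:56:00:00:01", "10.0.0.1", "10.0.0.10", ARP_REPLY,
                  "00:0c:29:aa:bb:01"),                                                # gateway replies: first sighting of .1
        build_arp("00:0c:29:aa:bb:01", "10.0.0.10", "10.0.0.2"),                       # known host, nothing new
        build_arp("00:0c:29:de:ad:01", "10.0.0.1", "10.0.0.10"),                       # someone else claims the gateway IP
        build_arp("00:0c:29:aa:bb:99", "10.0.0.10", "10.0.0.1",
                  eth_src="00:0c:29:aa:bb:01"),                                        # header/payload sender mismatch
    ]
    for f in frames:
        mon.observe("eth0", f)
    return mon.events


if __name__ == "__main__":
    for kind, iface, ip, mac, old in demo():
        print(f"{kind}: {ip} {mac} {'(' + old + ')' if old else ''} {iface}")
```

The "ethernet mismatch" branch deliberately does not update the table: a frame whose two sender fields disagree is not trustworthy evidence of who owns the IP, and learning from it would let an attacker poison the monitor's own view the same way they poison a victim's ARP cache.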

This is a great tool if you want to make sure there are no rogue computers or wireless access points plugged into your network. Keep in mind that a MAC address is trivially changed, so treat arpwatch as an inventory and alerting aid, not as an access control.

This guide covers installation and setup on an Ubuntu system; other distributions are similar.

Install arpwatch:

$ sudo apt-get -y install arpwatch

On Ubuntu you also need to edit /etc/arpwatch.conf to specify which interface to listen on and which account to email, then restart the daemon so it picks up the change.
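A minimal /etc/arpwatch.conf, added here to illustrate the Debian/Ubuntu format (one line per interface, followed by the options arpwatch should get for that interface). The interface name and mailbox are placeholders; substitute your own:

```text
# /etc/arpwatch.conf: <interface> <arpwatch options>
# -m sets the address that reports are mailed to
eth0	-m security@example.com
```

After saving the file, run `sudo service arpwatch restart` and check with `ps aux | grep arpwatch` that a process is running for the interface you listed. If nothing arrives by mail, make sure the box can actually deliver email to that account before suspecting arpwatch.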

Each report records the hostname (if it resolves), the IP address, the interface it was seen on, the hardware/MAC address, the vendor that owns that MAC prefix, and the timestamp of the sighting.

New stations and address changes are also logged to /var/log/syslog, which is the easier source to watch if you feed alerts into a log collector rather than a mailbox.
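Since the syslog lines are what most people end up watching, here is an added example (not part of arpwatch) that parses them and ranks each event against a host inventory: a MAC change for a known IP is worth a look immediately, a new station you do not recognise is worth a check, and everything else is noise. The log lines are constructed for the example and modeled on arpwatch's message wording ("new station", "new activity", "changed ethernet address", "flip flop"); check the exact text against the version you run. The inventory is an assumed allowlist of approved MACs.

```python
"""Triage arpwatch syslog messages against a host inventory (added example, not arpwatch code)."""
import re

# Constructed sample log, modeled on arpwatch's syslog wording.
SAMPLE_SYSLOG = """\
Apr 15 10:01:02 gw arpwatch: new station 192.168.1.50 0:c:29:aa:bb:1 eth0
Apr 15 10:01:09 gw arpwatch: new station 192.168.1.1 0:50:56:0:0:1 eth0
Apr 15 10:02:30 gw arpwatch: changed ethernet address 192.168.1.1 0:c:29:de:ad:1 (0:50:56:0:0:1) eth0
Apr 15 10:02:31 gw arpwatch: flip flop 192.168.1.1 0:50:56:0:0:1 (0:c:29:de:ad:1) eth0
Apr 15 10:03:00 gw sshd[1234]: Accepted publickey for admin from 192.168.1.50 port 50122
"""

# Assumed allowlist of approved hosts: normalized MAC -> description.
INVENTORY = {"00:50:56:00:00:01": "gateway"}

MAC = r"[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5}"
LINE_RE = re.compile(
    r"arpwatch(?:\[\d+\])?: "
    r"(?P<event>new station|new activity|changed ethernet address|flip flop) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<mac>" + MAC + r")"
    r"(?: \((?P<old>" + MAC + r")\))? (?P<iface>\S+)\s*$"
)


def normalize_mac(mac):
    """arpwatch prints MACs without zero padding (0:c:29:aa:bb:1); pad each octet so
    addresses compare equal to inventory entries and to `ip neigh` / `arp -an` output."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_line(line):
    """Return a dict for an arpwatch event line, or None for any other syslog line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["mac"] = normalize_mac(ev["mac"])
    ev["old"] = normalize_mac(ev["old"]) if ev["old"] else None
    return ev


def triage(text, inventory):
    """Classify every arpwatch event in the log text; returns a list of (severity, message)."""
    findings = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] in ("changed ethernet address", "flip flop"):
            # Same IP now answers from a different MAC: spoofing, a duplicate IP, or a swapped NIC.
            findings.append(("HIGH", f"{ev['ip']} on {ev['iface']} moved to {ev['mac']} (was {ev['old']})"))
        elif ev["event"] == "new station" and ev["mac"] not in inventory:
            findings.append(("MEDIUM", f"unknown host {ev['mac']} at {ev['ip']} on {ev['iface']}"))
        else:
            who = inventory.get(ev["mac"], "unlisted")
            findings.append(("INFO", f"{ev['event']}: {ev['ip']} {ev['mac']} ({who})"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_SYSLOG, INVENTORY):
        print(f"{severity:6} {message}")
```

The normalization step matters more than it looks: arpwatch writes `0:c:29:aa:bb:1` where the rest of your tooling writes `00:0c:29:aa:bb:01`, and an allowlist comparison that skips it will flag every approved host as unknown.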

For more information, check the arpwatch man page by running ‘man arpwatch’.